Re: out-of-band key management is like virtual circuits

Hi Dan.

In IEEE 802.10, when we were developing the Secure Data Exchange (SDE) 
Protocol, this same "in-line" key issue surfaced.  It was resolved in a 
manner that has not been considered by the IETF.  The solution has pros and 
cons, but I think that it should be considered before a decision is made.

SDE has a 32-bit SAID that is followed by an optional field, called the 
Management Defined Field (MDF).  DEC pushed very hard for this field 
because they wanted the SAID to identify a Master Key that would be used 
to decrypt the contents of the MDF.  The MDF carried the key or keys to 
decrypt and/or check the integrity of the payload.

SKIP is the same idea.  SKIP derives the Master Key using D-H key 
agreement instead of out-of-band master key distribution.

This alternative would permit the approach advocated by DEC, and it would 
accommodate the SKIP approach.

Using a bit in the SAID to indicate the presence/absence of the MDF (or 
whatever we call it for IPSP) would avoid the need for a key management 
protocol to negotiate the attributes for the security association.  Perhaps 
a reserved SAID would indicate that the key management technique used by 
SKIP should be used to generate the key to decrypt the MDF.

I just do not see why we cannot architect an IP layer security protocol 
that permits both types of key management.

More food for thought....

Russ
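The following is an added illustration of the layout described in the message, written for this archive page; it is not code from the message, from IEEE 802.10 SDE, or from SKIP. It assumes a hypothetical encoding in which the top bit of the 32-bit SAID word flags an optional MDF, a two-byte MDF length follows the SAID, the MDF carries the per-packet traffic key wrapped under the SA's master key, and one reserved SAID value (`DERIVED_SAID`) selects a master key derived from an already-shared secret rather than one installed out of band. The keys, the shared secret and the HMAC-based key wrap are all constructed stand-ins so the example runs offline; the point it shows is that the same receiver code serves both key-management styles by branching on the MDF bit.

```python
# Added example, not from the message or from IEEE 802.10 / SKIP.  A toy packet
# format: 32-bit SAID word (top bit = "MDF follows"), optional MDF carrying the
# traffic key wrapped under the SA master key, payload, and a 16-byte ICV.
# Every constant, key and layout choice here is an assumption made for the demo.
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

MDF_FLAG = 0x80000000      # assumed: top bit of the SAID word flags an MDF
SAID_MASK = 0x7FFFFFFF
DERIVED_SAID = 0x7FFFFFFF  # hypothetical reserved SAID: master key is derived, SKIP-style
ICV_LEN = 16

# Constructed stand-in for a key installed out of band under SAID 0x10.
SA_TABLE = {
    0x00000010: hashlib.sha256(b"constructed SA 0x10 key").digest(),
}
# Constructed stand-in for a D-H result both ends already share.
SHARED_SECRET = hashlib.sha256(b"constructed DH shared secret").digest()


def master_key_for(said: int) -> bytes:
    """Key bound to a SAID: derived for the reserved value, table lookup otherwise."""
    if said == DERIVED_SAID:
        return hmac.new(SHARED_SECRET, b"mdf-master-key", hashlib.sha256).digest()
    if said not in SA_TABLE:
        raise ValueError(f"unknown SAID {said:#010x}")
    return SA_TABLE[said]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap_key(master_key: bytes, traffic_key: bytes) -> bytes:
    """MDF body: nonce || encrypted traffic key || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(traffic_key, _keystream(master_key, nonce, len(traffic_key))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()[:ICV_LEN]
    return nonce + ct + tag


def unwrap_key(master_key: bytes, mdf: bytes) -> bytes:
    """Verify the MDF tag under the master key, then recover the traffic key."""
    nonce, ct, tag = mdf[:16], mdf[16:-ICV_LEN], mdf[-ICV_LEN:]
    expect = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("MDF integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


def build_packet(said: int, payload: bytes, traffic_key: Optional[bytes] = None) -> bytes:
    """With traffic_key: in-line mode (MDF present).  Without: the SAID's key is used directly."""
    if traffic_key is None:
        header = struct.pack("!I", said)
        key = master_key_for(said)
    else:
        mdf = wrap_key(master_key_for(said), traffic_key)
        header = struct.pack("!IH", said | MDF_FLAG, len(mdf)) + mdf
        key = traffic_key
    body = header + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def parse_packet(packet: bytes) -> Tuple[int, bytes]:
    """Return (said, payload); raise ValueError if the MDF or payload ICV does not verify."""
    (word,) = struct.unpack("!I", packet[:4])
    said = word & SAID_MASK
    key = master_key_for(said)       # master key (MDF case) or traffic key (no-MDF case)
    offset = 4
    if word & MDF_FLAG:              # the bit, not a negotiation, tells us which mode applies
        (mdf_len,) = struct.unpack("!H", packet[4:6])
        key = unwrap_key(key, packet[6:6 + mdf_len])
        offset = 6 + mdf_len
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("payload ICV check failed")
    return said, body[offset:]


if __name__ == "__main__":
    tk = os.urandom(32)
    print(parse_packet(build_packet(0x10, b"out-of-band keyed")))
    print(parse_packet(build_packet(0x10, b"in-line keyed", tk)))
    print(parse_packet(build_packet(DERIVED_SAID, b"derived master key", tk)))
```

Note that the receiver never needs to be told which style the sender used: the MDF bit selects the path, and a wrong or tampered MDF is rejected at the unwrap step before the payload key is ever used.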